IPSec spd.conf automatic creation modification



  • Hi All,
    I have 2 LAN interfaces routing all traffic through an IPSec tunnel.
    The LAN interface is still reachable from the LAN, however the OPT1 interface is not reachable due to the automatically added routes when an IPSec tunnel is created.
    I am using pfSense 2.1.5, as editing the routes for IPSec is impossible with 2.2.

    The automatically added routes which keep the interface reachable are generated by the file /etc/inc/vpn.inc,
    from line 847 to 866 (see below):
    /* generate spd.conf */
    $spdconf = "";
    $natfilterrules = false;
    if (is_array($a_phase2) && count($a_phase2)) {
        /* Try to prevent people from locking themselves out of webgui. Just in case. */
        if ($config['interfaces']['lan']) {
            $lanip = get_interface_ip("lan");
            if (!empty($lanip) && is_ipaddrv4($lanip)) {
                $lansn = get_interface_subnet("lan");
                $lansa = gen_subnet($lanip, $lansn);
                /* bypass IPsec for traffic between the LAN address and its own subnet */
                $spdconf .= "spdadd -4 {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n";
                $spdconf .= "spdadd -4 {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n";
            }
            $lanipv6 = get_interface_ipv6("lan");
            if (!empty($lanipv6) && is_ipaddrv6($lanipv6)) {
                $lansnv6 = get_interface_subnetv6("lan");
                $lansav6 = gen_subnetv6($lanipv6, $lansnv6);
                $spdconf .= "spdadd -6 {$lanipv6}/128 {$lansav6}/{$lansnv6} any -P out none;\n";
                $spdconf .= "spdadd -6 {$lansav6}/{$lansnv6} {$lanipv6}/128 any -P in none;\n";
            }

    I am trying to modify the file so it adds this route for an OPT1 interface as well.
    Can someone help out? Do I just change "lan" to "opt1", or what is the proper name pfSense uses to get these variables for an optional interface?
    And can I just put these lines below the initial lines?

    192.168.12.0/22 is my LAN interface
    10.11.15.0/24 is my OPT1 interface

    Basically what I am trying to achieve is to add these 2 lines to the spd.conf:
    spdadd -4 10.11.15.1/32 10.11.15.0/24 any -P out none;
    spdadd -4 10.11.15.0/24 10.11.15.1/32 any -P in none;

    These 2 lines below get automatically generated, which makes it possible to still talk to the LAN interface when having an IPSec tunnel:
    spdadd -4 192.168.12.1/32 192.168.12.0/22 any -P out none;
    spdadd -4 192.168.12.0/22 192.168.12.1/32 any -P in none;

    Thanks
    Sebastian
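The following is an added example, not code from the post or from pfSense itself. It generalizes the hard-coded "lan" block quoted above into a function that emits the same pair of `spdadd ... -P none` bypass policies for any list of local interfaces, so that a second interface keeps its own subnet reachable while the tunnel is up. It assumes the pfSense helper functions already used in the excerpt (get_interface_ip, get_interface_subnet, gen_subnet, is_ipaddrv4 and their IPv6 counterparts) and that optional interfaces are keyed "opt1", "opt2", ... in $config['interfaces'], which is how pfSense names them in config.xml. The interface list passed in (array("lan", "opt1")) is a constructed sample.

```php
<?php
/*
 * Added example (not pfSense's own code): build spd.conf bypass entries for
 * several local interfaces instead of only "lan".
 *
 * Assumptions: the pfSense helpers from /etc/inc/vpn.inc (get_interface_ip,
 * get_interface_subnet, gen_subnet, is_ipaddrv4, get_interface_ipv6,
 * get_interface_subnetv6, gen_subnetv6, is_ipaddrv6) are available, and
 * optional interfaces are keyed "opt1", "opt2", ... in $config['interfaces'].
 */

/* Return the spdadd "none" policies that keep $ifname reachable from its own
   subnet while an IPsec tunnel is up. Returns "" when the interface is not
   configured or has no usable address, so an unset OPT interface is harmless. */
function ipsec_bypass_spd_for_interface($ifname) {
    global $config;
    $spdconf = "";

    if (empty($config['interfaces'][$ifname])) {
        return $spdconf;
    }

    $ip = get_interface_ip($ifname);
    if (!empty($ip) && is_ipaddrv4($ip)) {
        $sn = get_interface_subnet($ifname);
        $sa = gen_subnet($ip, $sn);
        /* Traffic between the interface address and its own subnet bypasses
           IPsec processing in both directions; only this host/subnet pair is
           excluded, the rest of the tunnel policy is untouched. */
        $spdconf .= "spdadd -4 {$ip}/32 {$sa}/{$sn} any -P out none;\n";
        $spdconf .= "spdadd -4 {$sa}/{$sn} {$ip}/32 any -P in none;\n";
    }

    $ipv6 = get_interface_ipv6($ifname);
    if (!empty($ipv6) && is_ipaddrv6($ipv6)) {
        $snv6 = get_interface_subnetv6($ifname);
        $sav6 = gen_subnetv6($ipv6, $snv6);
        $spdconf .= "spdadd -6 {$ipv6}/128 {$sav6}/{$snv6} any -P out none;\n";
        $spdconf .= "spdadd -6 {$sav6}/{$snv6} {$ipv6}/128 any -P in none;\n";
    }

    return $spdconf;
}

/* Build the bypass block for every interface in $ifnames. Inside the
   is_array($a_phase2) test in vpn.inc this would replace the hard-coded
   "lan" block, for example:
   $spdconf .= ipsec_bypass_spd_for_interfaces(array("lan", "opt1")); */
function ipsec_bypass_spd_for_interfaces($ifnames) {
    $spdconf = "";
    foreach ($ifnames as $ifname) {
        $spdconf .= ipsec_bypass_spd_for_interface($ifname);
    }
    return $spdconf;
}
```

With an OPT1 address of 10.11.15.1/24 (the sample values from the post), the call with array("lan", "opt1") appends exactly the two `spdadd -4 10.11.15.1/32 10.11.15.0/24 ...` lines asked for after the existing LAN pair. After the policies are reloaded, `setkey -DP` on the firewall shell lists the installed SPD entries, which is the quickest way to confirm the OPT1 bypass is present before testing reachability; since the function only emits policies for interfaces that actually have an address, a misspelled interface key produces no entry rather than a broken spd.conf.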

